> On 25 Mar 2021, at 00:56, Jacob Champion <pchamp...@vmware.com> wrote:
> Databases that are opened *after* the first one are given their own separate > slots. Any certificates that are part of those databases seemingly can't be > referenced directly by nickname. They have to be prefixed by their token name > -- a name which you don't have if you used NSS_InitContext() to create the > database. You have to use SECMOD_OpenUserDB() instead. This explains some > strange failures I was seeing in local testing, where the order of > InitContext determined whether our client certificate selection succeeded or > failed. Sorry for the latency is responding, but I'm now back from parental leave. AFAICT the tokenname for the database can be set with the dbTokenDescription member in the NSSInitParameters struct passed to NSS_InitContext() (documented in nss.h). Using this we can avoid the messier SECMOD machinery and use the token in the auth callback to refer to the database we loaded. I hacked this up in my local tree (rebased patchset coming soon) and it seems to work as intended. -- Daniel Gustafsson https://vmware.com/
